splunk / splunk-connect-for-syslog

Splunk Connect for Syslog
Apache License 2.0

data is not going to defined sourcetype- Previous ticket #2510 #2513

Open imsidr opened 3 days ago

imsidr commented 3 days ago

Was the issue replicated by support?

What is the sc4s version? 3.19.0

Which operating system (including its version) are you using for hosting SC4S? docker container

Which runtime (Docker, Podman, Docker Swarm, BYOE, MicroK8s) are you using for SC4S? docker

Is there a pcap available? If so, would you prefer to attach it to this issue or send it to Splunk support?

Is the issue related to the environment of the customer or Software related issue? Not Sure

Is it related to data loss? Please explain. Protocol? Hardware specs?

Last chance index/Fallback index? sc4s index

Is the issue related to local customization? Not sure

Do we have all the default indexes created? NA

Describe the bug - the sourcetype is not the same as defined in the parser. The data is ending up in the cisco:ise:syslog sourcetype, and I don't have any poc:syslog sourcetype configured but I see data for that too.

```
block parser app-dest-cisco_ise-postfilter() {
    channel {
        rewrite {
            r_set_splunk_dest_default(
                index("cisco")
                sourcetype('cisco:ise')
                vendor("cisco")
                product("ise")
            );
        };
    };
};

application app-dest-cisco_ise-postfilter[sc4s-postfilter] {
    filter {
        host("ise*" type(glob) flags(ignore-case));
    };
    parser {
        app-dest-cisco_ise-postfilter();
    };
};
```
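As an added example (not code from this issue or from the SC4S project): a small Python checker that pulls the index/sourcetype/vendor/product values out of a postfilter like the one above, reports which `r_set_splunk_dest_*` helper it calls so that can be compared with the SC4S documentation, and emulates the `host()` glob filter against a few constructed hostnames. That last part is the quick check worth doing first when events land in an unexpected sourcetype: if the HOST field of the device's syslog messages does not match the glob, the rewrite never runs for those events. The config text is a copy of the snippet above, the hostnames are made up, and glob semantics are assumed to be fnmatch-style (`*` and `?`).

```python
import fnmatch
import re

# Constructed copy of the postfilter from the issue; not taken from SC4S sources.
SC4S_POSTFILTER = """
block parser app-dest-cisco_ise-postfilter() {
    channel {
        rewrite {
            r_set_splunk_dest_default(
                index("cisco")
                sourcetype('cisco:ise')
                vendor("cisco")
                product("ise")
            );
        };
    };
};
application app-dest-cisco_ise-postfilter[sc4s-postfilter] {
    filter {
        host("ise*" type(glob) flags(ignore-case));
    };
    parser {
        app-dest-cisco_ise-postfilter();
    };
};
"""

# key('value') / key("value") pairs inside the rewrite call
KV_RE = re.compile(r"\b(index|sourcetype|vendor|product)\(\s*(['\"])(.*?)\2\s*\)")
# host("<pattern>" <options>) ; -- captures the pattern and the trailing options
HOST_RE = re.compile(r"host\(\s*(['\"])(.*?)\1(.*?)\)\s*;", re.S)


def splunk_metadata(config: str) -> dict:
    """Return the index/sourcetype/vendor/product values the rewrite sets."""
    return {key: value for key, _quote, value in KV_RE.findall(config)}


def rewrite_mode(config: str) -> str:
    """Name which rewrite helper the block calls ('update', 'default' or 'none').

    Only reports the helper name; consult the SC4S docs for what each one does
    when the metadata field is already populated by an upstream parser.
    """
    if "r_set_splunk_dest_update" in config:
        return "update"
    if "r_set_splunk_dest_default" in config:
        return "default"
    return "none"


def host_filter(config: str):
    """Extract the host() glob pattern and whether ignore-case is set."""
    match = HOST_RE.search(config)
    if not match:
        return None
    pattern, options = match.group(2), match.group(3)
    return pattern, "ignore-case" in options


def host_matches(config: str, hostname: str) -> bool:
    """Emulate host("<glob>" type(glob) flags(ignore-case)) for one hostname.

    Assumption: syslog-ng glob matching behaves like fnmatch for '*' and '?'.
    """
    extracted = host_filter(config)
    if extracted is None:
        return False
    pattern, ignore_case = extracted
    if ignore_case:
        return fnmatch.fnmatchcase(hostname.lower(), pattern.lower())
    return fnmatch.fnmatchcase(hostname, pattern)


def check_postfilter(config: str, hostnames) -> dict:
    """Summarise the rewrite target and which hostnames the filter would select."""
    return {
        "rewrite": rewrite_mode(config),
        "metadata": splunk_metadata(config),
        "matched": {h: host_matches(config, h) for h in hostnames},
    }


if __name__ == "__main__":
    # Constructed sample hostnames: two ISE-style names, one bare IP (as seen
    # when a device sends no hostname), and one name that contains but does
    # not start with "ise".
    sample_hosts = ["ise-psn-01", "ISE02.corp.example", "10.0.0.5", "poc-ise-1"]
    report = check_postfilter(SC4S_POSTFILTER, sample_hosts)
    print("rewrite helper:", report["rewrite"])
    print("metadata set  :", report["metadata"])
    for host, ok in report["matched"].items():
        print(f"{host:22s} -> {'reaches rewrite' if ok else 'NOT matched by host() filter'}")
```

Running it shows that `ise*` with `ignore-case` selects `ise-psn-01` and `ISE02.corp.example` but not `10.0.0.5` or `poc-ise-1`, so any ISE node whose messages carry an IP or a differently prefixed HOST field keeps whatever sourcetype the upstream parser assigned. Comparing the printed HOST values from a pcap against this output narrows the problem to either the filter or the rewrite helper.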

cwadhwani-splunk commented 2 days ago

@imsidr Can we please get sample logs or the pcap file to find the root cause. Also, did you get a chance to open a support ticket for this as mentioned by Rahul in the previous case? You can share the sample logs to cwadhwani@splunk.com

imsidr commented 2 days ago

Where is the pcap file stored?


imsidr commented 2 days ago

@cwadhwani-splunk case #[3514354]

imsidr commented 2 days ago

Attached the pcap file in case #3514354.
